$OpenBSD: README,v 1.7 2017/05/29 14:44:40 jasper Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

Radicale will run out of the box but with NO SECURITY.

There are two things you should do to enable security:
enable passwords and enable encryption.

Authentication
==============
To enable simple passwords, edit ${SYSCONFDIR}/radicale/config and change
"type = None" (i.e. passwords are not requested or checked) to
"type = htpasswd".

User password(s) may be created with htpasswd(1); e.g.
"htpasswd ${SYSCONFDIR}/radicale/users username".

As of radicale-0.8p0, the OpenBSD port of Radicale has been modified
to support bcrypt password hashes.

Previous versions required old unix "crypt" or unsalted SHA-1 hashes
of passwords, neither of which are safe.

Users of previous versions should set "htpasswd_encryption = bcrypt"
in ${SYSCONFDIR}/radicale/config and update their saved passwords when
possible (to help with migration, existing SHA hashes stored with a
"{SHA}" prefix in the users file will still work with the new setting).

By default calendars may only be accessed by their owner. To adjust
the rights for calendars please refer to the
${SYSCONFDIR}/radicale/rights file and the upstream documentation on
"Rights Management".

For further authentication options (including deferring authentication
to an existing IMAP server), consult Radicale's documentation.

Encryption
==========
To enable encryption, you need both to change "ssl = False" to
"ssl = True" in file "config", and install a certificate and key in
the files named in "certificate" and "key".
Note that it does not suffice to change these variables to point
at a certificate installed in /etc/ssl because the key
file will be unreadable (/etc/ssl/private has restricted
directory permissions).
Either copy your existing key and certificate to the locations
in ${SYSCONFDIR} and owned by (and only readable by) the user _radicale,
or, generate a self-signed RSA server certificate as described
in ssl(8) (but changing /etc/ssl to ${SYSCONFDIR}/radicale).

Preparing for Radicale 2
========================
Before upgrading to Radicale 2, please run
`${PREFIX}/bin/radicale --export-storage /path/to/storage` with
radicale 1. This exported storage can be used directly by Radicale 2
after the upgrade.
For more information please refer to http://radicale.org/1to2/
